gnarbarian

Reputation: 2839

Can I get robust XSS protection in CF11 that I can apply to an entire site without touching every query or input?

So I'm currently using CF11 and CFWheels 1.1, and the "Global Script Protection" (GSP) server feature does an awful job of covering the XSS bases. I would like to extend it to block any and all tags/vectors for JS from being inserted into the database.

CF11 offers antiSamy protection via the getSafeHTML() function, which applies an XML policy file specified in application.cfc, but I would still need to modify every single varchar cfqueryparam in the application to use it, right?

Is there a way to get CF11 to enable the antisamy features server or application wide in a similar way that the GSP feature works? What I mean by this is GSP automatically strips tags out of input submitted to the app without having to modify all the queries/form actions. I'd like a way to apply the antisamy policy file or getSafeHTML() in the same way.

Thanks!

Upvotes: 4

Views: 677

Answers (3)

gnarbarian

Reputation: 2839

The solution as implemented for a cfwheels 1.1 app:

I used the slashdot file from https://code.google.com/p/owaspantisamy/downloads/list

This goes in application.cfc:

<cfcomponent output="false">
    <cfset this.security.antisamypolicy="antisamy-slashdot-1.4.4.xml">
    <cfinclude template="wheels/functions.cfm">
</cfcomponent>

This goes in the /ProjectRoot/events/onrequeststart.cfm file

<cfscript>
    // CFScript in a .cfm file must sit inside cfscript tags.
    // Run the AntiSamy policy from application.cfc over every form and URL value.
    // getSafeHTML() only exists in CF11 and later, so check the major version first.
    function xssProtection() {
        var CFversion = ListToArray(SERVER.ColdFusion.productversion);
        if (CFversion[1] GTE 11) {
            for (var key in form) {
                if (not IsJSON(form[key])) {
                    form[key] = getSafeHTML(form[key]);
                }
            }
            for (var key in url) {
                if (not IsJSON(url[key])) {
                    url[key] = getSafeHTML(url[key]);
                }
            }
        }
    }
    xssProtection();
</cfscript>

Upvotes: 0

Raymond Camden

Reputation: 10857

Why would you have to apply it to every one? You would only need to do it for string (varchar) inputs and only when inserting. And even then, you wouldn't use it everywhere. For example, if you ask for my name and bio, there is no reason why you would want html, even "good" html, in my name. So I'm sure you already use something there to escape all html or simply remove it all. Only for a field like bio would you use getSafeHTML.

Validation is work. You (typically) don't want an "all at once" solution imo. Just bite the bullet and do it.

If you did want to do it, you can use onRequestStart to automatically process all keys in the form and url scope. This is written from memory so it may have typos, but here is an example:

function onRequestStart(string req) {
    for(var key in form) { form[key] = getSafeHTML(form[key]); }
    for(var key in url) { url[key] = getSafeHTML(url[key]); }
}

Upvotes: 8

Miguel-F

Reputation: 13548

I agree with Ray: validation is work, and it is very important work. If you could have a server-wide setting, it would be way too generalized to fit all situations. When you do your own validation for specific fields you can really narrow down the attack surface. For example, assume you have a form with three fields: name, credit card number, social security number. With one server-wide setting it would need to be general enough to allow all three types of input. With your own validation you can be very specific for each field and only allow a certain set of characters: name - only allows alpha characters and space; credit card number - only allows digits, space, dash and must conform to the mod rule; social security number - only allows digits and dash in 3-2-4 format. Nothing else is allowed.

That being said, I just wanted to point out that the "Global Script Protection" rules can be customized. That setting works by applying a regular expression that is defined in the cf_root/lib/neo-security.xml file in the server configuration, or the cf_root/WEB-INF/cfusion/lib/neo-security.xml file in the JEE configuration to the variable value. You can customize the patterns that ColdFusion replaces by modifying the regular expression in the CrossSiteScriptPatterns variable.

The default regular expression is defined as:

<var name='CrossSiteScriptPatterns'>
    <struct type='coldfusion.server.ConfigMap'>
        <var name='&lt;\s*(object|embed|script|applet|meta)'>
            <string>&lt;InvalidTag</string>
        </var>
    </struct>
</var>

This means that, by default, the Global Script Protection mechanism is only looking for strings containing <object or <embed or <script or <applet or <meta and replacing them with <InvalidTag. You can enhance that regular expression to look for more cases if you want.

See the "Protecting variables from cross-site scripting attacks" section on this page.

Upvotes: 2
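As an added illustration (not code from the page, from ColdFusion, or from CFWheels), the following Python model applies the default CrossSiteScriptPatterns expression quoted above and a broadened variant, and implements the per-field allow-list rules Miguel-F describes for name, credit card number and SSN. It assumes the server applies the GSP pattern case-insensitively; the extended tag list and the sample inputs are constructed for the example.

```python
import re

# Default pattern exactly as quoted from neo-security.xml on this page.
GSP_DEFAULT = r"<\s*(object|embed|script|applet|meta)"
# Constructed broadened pattern: the same shape with more tag names added.
GSP_EXTENDED = r"<\s*(object|embed|script|applet|meta|iframe|style|link|form|img|svg)"
REPLACEMENT = "<InvalidTag"


def gsp_filter(value: str, pattern: str = GSP_DEFAULT) -> str:
    """Model of Global Script Protection: rewrite matching '<tag' prefixes.
    Assumption: ColdFusion applies the pattern case-insensitively."""
    return re.sub(pattern, REPLACEMENT, value, flags=re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """The 'mod rule' (Luhn check) for a string of digits only."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Allow-list rules per field, following the answer above; anything else is rejected.
FIELD_RULES = {
    "name": lambda v: re.fullmatch(r"[A-Za-z ]+", v) is not None,
    "card": lambda v: re.fullmatch(r"[0-9 -]+", v) is not None
                      and luhn_ok(re.sub(r"[ -]", "", v)),
    "ssn":  lambda v: re.fullmatch(r"\d{3}-\d{2}-\d{4}", v) is not None,
}


def validate_form(form: dict) -> dict:
    """Return {field: bool} for every known field in the submitted form."""
    return {k: bool(FIELD_RULES[k](v)) for k, v in form.items() if k in FIELD_RULES}
```

Comparing gsp_filter() with the default and extended patterns shows how narrow the stock rule is, while validate_form() shows why a field-specific allow list needs no tag pattern at all.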
